acfsutil encr rekey

Purpose

Generates a new key and re-encrypts volume or file.

Syntax and Description

acfsutil encr rekey -h
acfsutil encr rekey -m mount_point
     {-f [-r] path [path…] | -v} [-a {AES} -k {128|192|256}]

acfsutil encr rekey -h displays help text and exits.

Table 16-82 contains the options available with the acfsutil encr rekey command.


Table 16-82 Options for the acfsutil encr rekey command

Option Description

-m mount_point

Specifies the directory where the file system is mounted.

-f [-r] path ...

Generates a new file encryption key for the specified path and then encrypts the data with the new key.

If -r is specified, the rekey operation is performed recursively under path.

path specifies the absolute or relative path of a directory. Multiple path values are allowed.

-v

Generates a new volume encryption key (VEK) for the specified mount point and then encrypts all the file encryption keys in the file system with the new key. Prompts for the wallet password because the wallet must be accessed to store the new VEK.

The generated key is stored in the key store that was previously configured with the acfsutil encr init command.

-a algorithm

Specifies the algorithm. Advanced Encryption Standard (AES) is the only encryption supported for this release.

-k key_length

Specifies the key length for the directory or file specified by path.


This command cannot be run on security realm-protected files.

The default values for the -a and -k options are determined by the volume parameters specified when acfsutil encr set was run.

The path option can specify a path to a file or directory in a read-write snapshot. If the -r option is specified with the command on the root directory, the command does not traverse the snapshots under the .ACFS directory. If a rekey operation is specified at the file system level, then the operation does not process files and directories of snapshots in the .ACFS/snaps/ directory.

If Oracle Key Vault is the key store for the file system, then the Oracle Key Vault home environment variable (OKV_HOME) must be set when using the -v option to generate a new volume key. If the client was configured to use a password with Oracle Key Vault, then the same password must be entered when prompted.

See Also:

Oracle Key Vault Administrator's Guide for information about Oracle Key Vault

Only a user with root or system administrator privileges can run this command with the -v option. The file owner can also run this command with the -f option to rekey encryption on the directory or file.

Examples

The following are examples of the use of acfsutil encr rekey.

Example 16-75 Using the acfsutil encr rekey command

# /sbin/acfsutil encr rekey -m /acfsmounts/acfs1 -v

# /sbin/acfsutil encr rekey -m /acfsmounts/acfs1 -f -r /acfsmounts/acfs1/myfiles
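The prerequisites stated above (root privileges for -v, OKV_HOME set when Oracle Key Vault is the key store, AES with a 128, 192 or 256-bit key, -f or -v but not both) gathered into a small runbook wrapper. This is an added example, not part of the Oracle documentation; it assumes acfsutil is installed at /sbin/acfsutil, and the key-store name ("wallet" or "okv") is a constructed input to the wrapper, not an acfsutil option.

```shell
#!/bin/sh
# Added example (not Oracle's code): check the documented prerequisites for
# "acfsutil encr rekey" and build the command line without running it.
# Assumption: acfsutil is at /sbin/acfsutil (override with ACFSUTIL=...).

ACFSUTIL=${ACFSUTIL:-/sbin/acfsutil}

# check_volume_prereqs KEYSTORE
#   A volume rekey (-v) must run as root and, when Oracle Key Vault holds the
#   keys (KEYSTORE=okv, a constructed label), needs OKV_HOME in the environment.
#   Returns 1 if anything is missing so a runbook can stop before prompting.
check_volume_prereqs() {
    ok=0
    [ "$(id -u)" -eq 0 ] || { echo "-v requires root privileges" >&2; ok=1; }
    if [ "$1" = okv ] && [ -z "$OKV_HOME" ]; then
        echo "-v with Oracle Key Vault requires OKV_HOME to be set" >&2; ok=1
    fi
    return $ok
}

# build_rekey_cmd MOUNT KEYLEN MODE [PATH...]
#   MODE "volume" rekeys the VEK (-v); MODE "files" rekeys the given paths
#   recursively (-f -r). KEYLEN is 128, 192 or 256, or empty to keep the
#   defaults chosen by "acfsutil encr set". Prints the command on stdout.
build_rekey_cmd() {
    mount=$1; keylen=$2; mode=$3; shift 3
    case "$keylen" in
        ''|128|192|256) ;;
        *) echo "invalid key length $keylen (allowed: 128, 192, 256)" >&2; return 1 ;;
    esac
    cmd="$ACFSUTIL encr rekey -m $mount"
    case "$mode" in
        volume) [ $# -eq 0 ] || { echo "-v takes no paths" >&2; return 1; }
                cmd="$cmd -v" ;;
        files)  [ $# -ge 1 ] || { echo "-f needs at least one path" >&2; return 1; }
                cmd="$cmd -f -r $*" ;;
        *)      echo "mode must be volume or files" >&2; return 1 ;;
    esac
    # AES is the only algorithm supported in this release, so -a is fixed.
    [ -z "$keylen" ] || cmd="$cmd -a AES -k $keylen"
    printf '%s\n' "$cmd"
}

# Usage, e.g. from a change-window runbook:
#   check_volume_prereqs okv && sh -c "$(build_rekey_cmd /acfsmounts/acfs1 256 volume)"
```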